Trojans the most common malware

Malware infections by type

Panda Security breaks the types of malware down into five categories and interestingly there is a difference between the number of samples seen and the infection rate. In other reports from security companies the embedding of malware into social media and the use of drive-by infections have been seen as key to increasing infection rates.

Over the quarter, Panda Security recorded the share of malware samples seen and the infection rate for each type (samples seen / infection rate) as:

Trojans: 71.16% / 76.25%

Viruses: 10.83% / 1.53%

Worms: 5.68% / 2.63%

Adware/Spyware: 4.32% / 5.43%

Other: 7.57% / 14.39%

These numbers are interesting for several reasons. The first is that those writing or modifying viruses and worms are finding it hard to avoid detection by existing security products. There is never a time to be complacent around security but any time the numbers are getting better it is cause for a small celebration.

The rise of the Trojan is of considerable concern. While a large percentage are used to steal personal details, they are also used to download other forms of malware. The infection rate is increasing faster than the number of new variants, which suggests that the security industry needs to do more to counter the increased threat.

Adware/Spyware a difficult problem to solve

Adware/Spyware is on the increase. Part of the reason is that the online marketing industry is getting better at getting its products into software installers. They have learned the lesson from the bloatware that accompanies all new devices and are paying some of the installer companies to include their product in their tool. Others are approaching companies with popular downloads and asking them to add their Adware to the installer for a fee.

There are two challenges here. The first is the online marketing industry, where advertisers are desperate to get as much data on people as possible. This activity will continue to grow as it is unregulated, and even where there are voluntary agreements to respect privacy, most of the online Ad sellers ignore them.

The bigger problem is the explosion of companies offering to supply ads to smaller websites. Like many sites, we are often approached by these companies but turn them away. The issue here is that many of them are aggregators and do little to no validation of the ads that they are serving onto sites. This means that they are an infection vector that can often get a website blocked.

Many of those distributing Adware have agreements with companies who are paid by Ad impression. It is in the interest of both parties to use Adware in order to drive up impressions and therefore revenue. Until this type of fraud is stamped out it will be a lucrative trade for many people.

Asia and Latin America

Across Panda Security’s customer base the average rate of detection of some form of malware was a whopping 32.21%. To all intents and purposes 1 in 3 users in a single quarter encountered some form of malware that was detected and dealt with. How many did not detect the malware and have been infected is hard to judge and any attempt to do so would be a wild estimate.

Given the attempts to educate corporate customers and individuals, 32.21% does seem abnormally high, but the reason can be found by looking at the countries where the highest infections occurred.

47.53% – China

43.11% – Turkey

41.97% – Peru

41.14% – Russia

40.93% – Argentina

40.13% – Bolivia

39.57% – Taiwan

39.21% – Guatemala

39.02% – El Salvador

38.89% – Ecuador

Only four European countries are rated above the average: Poland (38.48%), Slovenia (38.05%), Spain (36.37%) and Italy (33.97%). The US is also below the average here.

Old tricks such as Office macros and images that are not clear

There is rarely anything sophisticated about most attacks. This quarter Panda Security are reporting a return to the use of macros embedded in Office documents in order to infect computers. In an age where this is so well known as an attack vector it is surprising how effective it is.

Alongside this the criminals are taking advantage of a problem most people experience regularly – poorly displayed images. It is not uncommon in an email to have images that don’t seem to display. Some vendors do it to drive you to their website so that they can capture hits. In this instance, the malware writers use it to bypass the security on the machine and install a variety of nasty things.

It is not just macros and images in emails that are the problem. Images in social media and the use of shortened URLs are just as common an attack vector as people blindly click on them.

Cryptolocker raking in the cash

Like many of its competitors, Panda Security has been seeing a rise in the amount of Ransomware and specifically Cryptolocker. The most common infection route is that of macros and blurred images as detailed above.

Once installed, it is activated and the user has a small window of time to pay what is asked or lose all their data. Despite the occasional story around cybercriminals not honouring the unlocking of data, the vast majority do unlock on payment. However, there are problems with some of the variants of ransomware where the servers get taken down and the data cannot be unlocked because the key is now unavailable.

According to Luis Corrons, Technical Director of PandaLabs: “Cyber hackers are looking at businesses more and more as it is relatively easy for them to steal information. Sometimes it’s as simple as introducing a variant of Cryptolocker in a file that is sent to an employee and, once it’s opened, the security of the entire company is at risk”.

Conclusion

The increased rate of activity that Panda Security has seen will worry a lot of people in the security industry. Last quarter we saw a lot of vendors talking about attacks being on the decline as cybercriminals transitioned to more lucrative and long term attacks.

This new surge in attacks and the continued increase in ransomware products will cause concern for many CISOs. Many companies have invested heavily in collaboration tools. This means that a return to infection through macros and image links should cause a lot of companies to take a step back and seriously review what they do in terms of continuous protection and scanning to stop this type of infection.

The only bright spot in this report is that virus and worm infection rates are on the decline.

Ian has been a journalist, editor and analyst for over 30 years. While technology remains the core focus of Ian's writings, he also covers science fiction, children's toys, field hockey and progressive rock. As an analyst, Ian is the Cyber Security and Infrastructure Practice Leader for Creative Intellect Consulting Ltd.
A keen hockey goalkeeper, Ian coaches and plays for a number of clubs including Guildford Hockey Club, Alton Hockey Club, Royal Navy, Combined Services, UK Armed Forces and several touring sides. His ambition is to one day represent England. Ian has also been selected to be the goalkeeping coach for Hockey for Heroes, a UK charity supporting the UK Armed Forces.
